Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Mamba Ransomware Encrypts Hard Drives Rather Than Files

A new ransomware strain called Mamba opts to encrypts hard drives rather than individual files and folders stored on the local disk.

Just when we thought ransomware’s evolution had peaked, a new strain has been discovered that forgoes the encryption of individual files, and instead encrypts a machine’s hard drive.

The malware, called Mamba, has been found on machines in Brazil, the United States and India, according to researchers at Morphus Labs in Brazil. It was discovered by the company in response to an infection at a customer in the energy sector in Brazil with subsidiaries in the U.S. and India.

Renato Marinho, a researcher with Morphus Labs, told Threatpost that the ransomware is likely being spread via phishing emails. Once it infects a machine, it overwrites the existing Master Boot Record with a custom MBR, and from there, encrypts the hard drive.

“Mamba encrypts the whole partitions of the disk,” Marinho said. “It uses a disk-level cryptography and not a traditional strategy of other ransomware that encrypts individual files.”

The malware is a Windows threat, and it prevents the infected computer’s operating system from booting up with out a password, which is the decryption key.

The victims are presented with a ransom note demanding one Bitcoin per infected host in exchange for the decryption key and it also includes an ID number for the compromised computer, and an email address where to request the key.

Mamba joins Petya as ransomware targeting computers at the disk level. Petya encrypted the Master File Table on machines it infected. Mamba, however, uses an open source disk encryption tool called DiskCryptor to lock up the compromised hard drives.

Petya was a game-changer among ransomware families. It spread initially among German companies targeting human resources offices. Emails were sent that contained a link to a Dropbox file that installed the ransomware. The malware showed the victim a phony CHKDSK process while it encrypted the Master File Table in the background.

More than a month after Petya surfaced, a variant was found that included a new installer. If the installer failed to install Petya on the compromised machine, it installed a less troublesome ransomware strain known as Mischa. Petya included an executable requesting admin privileges that caused Windows to flash a UAC prompt; if the victim declined at the prompt, the malware would install Mischa instead of Petya.

Mischa behaves like most of the ransomware many are familiar with. Once the victim executes link sent in a spam or phishing email, the malware encrypts local files and demands a ransom of 1.93 Bitcoin, or about $875 to recover the scrambled files.

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.